Financial
LATEST CYBERSECURITY CHALLENGES IN THE WORLD OF BFSI
Exclusive interview with Premchand Kurup, CEO, Paramount
Which emerging cyber risks are most likely to influence or reshape GCC banking regulations in the coming years?
We live in an era where nearly every banking service depends on advanced digital infrastructure, and cybercriminals are aware of it. With the emergence of AI, the risks have evolved even further, enabling attacks that can adapt and operate at an unprecedented scale. Over the period of 2024–2026, GCC banking regulations in the region are being influenced by the convergence of advanced ransomware, API-driven open banking risks and AI-enabled cyber threats.
Firstly, targeted ransomware and data extortion attacks against banks and fintechs in the Gulf region have evolved from isolated incidents into a persistent and systemic risk. Financial institutions in the UAE and across the GCC region have experienced a noticeable rise in incidents and malware activity through 2024 and into 2025 by nearly 100%, and this is specific to Paramount. . In response, regulators are tightening requirements for incident reporting timelines, operational resilience testing and recovery capabilities within central banks and national cybersecurity frameworks, with these requirements expected to become more stringent in 2026.
Secondly, the rapid expansion of open banking and digital transformation initiatives has made API security and cloud exposure critical regulatory concerns. Misconfigured cloud environments, weak API authentication, and complex third-party integrations are creating new attack surfaces that traditional perimeter-based security models cannot adequately protect. As a result, regulators in the UAE, Saudi Arabia, and other GCC countries are strengthening supervisory expectations around identity management, data protection and third-party risk management within banking regulations.
Additionally, the rise of AI-driven fraud and AI-assisted cyberattacks is reshaping how supervisors view the intersection of model risks and cyber risks. AI is being increasingly used to support credit assessment, KYC and fraud detection, while also being leveraged by attackers to scale phishing, social engineering and evasion techniques. This dual-use nature of AI is prompting regulators to develop guidance on AI governance, explainability and enhanced monitoring of AI-enabled processes in the financial sector.
What is one underrated cybersecurity innovation today that you believe will become critical for the Middle East’s BFSI sector over the next few years?
One of the most underrated cybersecurity innovations today, and yet one that is likely to become critical for the Middle East’s banking, financial services and insurance (BFSI) sector over the next few years, is behaviour-based analytics, which has become deeply integrated into security operations centre (SOC) functions and fraud detection systems. Numerous financial institutions still rely heavily on static, rule-based systems that trigger alerts based on fixed thresholds or known attack signatures. While effective against traditional threats, these approaches struggle to detect modern attacks that rely on lateral movement, living off the land (LOTL) techniques and sophisticated social engineering.
In contrast, behaviour-driven analytics establishs dynamic baselines for users, devices, applications and APIs. It continuously monitors the way accounts are accessed, transactions are executed and systems communicate, enabling early detection of anomalies that signal potential fraud or intrusion. These capabilities closely mirror the patterns observed in recent high-impact attacks on banks and fintechs across the region. For GCC banks navigating rapid cloud adoption, open banking frameworks and increasing use of AI in core operations, behavioural analytics is becoming essential. It allows institutions to distinguish legitimate high-volume digital activity from subtle intrusions, as highlighted in the report titled ‘2025 Global Digital Trust Insights – Middle East findings’.
Reflecting this shift, Paramount’s advisory and SOC services in the region are increasingly promoting a transition from purely rule-driven monitoring to a blended model that combines behavioural analytics, traditional rules, and threat intelligence. This integrated approach significantly improves detection speed and reduces false positives in complex Middle Eastern financial environments.
From the Paramount SOC’s perspective, approximately how many security incidents or threats have been monitored and mitigated this year
Over the last year we have issued over 592 critical advisories and mitigated them. Critical advisories are those that have the potential to halt business operations significantly.
The year 2026 has just begun, and we have issued nearly 100 advisories already.
Apart from critical advisories we have issued regular 318 advisories this year while the number stood at 2208 last year . We have just begun the year, but the number of alerts shows an increasing trend.
What types of cyber threats are most frequently detected and addressed by the SOC?
During the fiscal year 2024–2025, the most frequently detected threats identified by Paramount’s SOC include phishing and credential theft leading to account takeover, often using highly localised and AI-generated lures. SOC teams also regularly respond to ransomware and data extortion campaigns, alongside API, web application, and DDoS attacks targeting digital banking platforms. Moreover, cloud misconfigurations and excessive access permissions remain a persistent risk, frequently identified through continuous monitoring and threat hunting.
How can C-suite leaders better prepare their organisations, and what proactive steps should banks take to stay ahead of fraud and cyber threats?
For banks across the GCC region, C-suite leaders need to treat cyber resilience as a core board-level business capability, and not simply as a technical or IT function. With cyber threats having direct implications for financial stability, reputation, and regulatory compliance, leadership should embed cyber risk into enterprise risk management frameworks and board reporting. Major threat scenarios such as prolonged digital channel outages, data extortion incidents, or systemic third-party failures should be quantified and reviewed alongside credit and liquidity risks, in line with evolving GCC regulatory expectations. Leaders should further align their cyber strategies with national cybersecurity frameworks and central bank guidance, using independent maturity assessments to identify gaps and prioritise investments through 2026.
From an operational and technology perspective, adopting a zero-trust approach across identities, devices, networks and applications is becoming essential, particularly in API-enabled and cloud-based banking environments. This should be supported by strong SOC and incident response capabilities, whether in-house or through specialised providers such as Paramount, to ensure 24/7 monitoring, rapid containment and documented playbooks for both regulators and customers. Banks also need to invest in advanced fraud analytics and behaviour-based monitoring to detect account takeover and payment fraud, particularly as AI tools make phishing and social engineering more convincing, as witnessed in recent UAE ransomware trends.
Equally important is rigorous third-party and supply chain risk management. This includes structured security due diligence and continuous monitoring of fintech partners, cloud providers and critical vendors, given the growing risk of indirect compromised paths into Gulf financial institutions. Finally, C-suite leaders should actively promote a strong cyber resilience culture. This involves running realistic simulations of ransomware, data leaks, and payment fraud scenarios to sharpen organisational readiness and showcase proactive resilience to regulators, customers and shareholders.
Given the distinct regulatory, cultural, and operational landscape of the GCC, what makes cybersecurity in the region’s BFSI sector uniquely challenging compared to the US or Europe?
Cybersecurity in the GCC region’s BFSI sector is uniquely challenging because financial institutions operate at the intersection of rapid digital transformation, high geopolitical relevance and complex, multi-layered regulation. From a regulatory standpoint, institutions in the region must comply simultaneously with national cybersecurity authorities, central banks, and in some cases, free zone regulators. These entities impose detailed requirements on controls, data protection and incident reporting, creating a more fragmented and demanding compliance landscape than in many single-jurisdiction markets. The situation is further complicated by strict data residency and data sovereignty rules, which significantly influence how banks can design and deploy cloud, analytics, and cross-border platforms.
Operationally, GCC banks are advancing quickly into digital, mobile and open banking services, often faster than ecosystem-wide security maturity. While this supports financial inclusion, it also expands the attack surface through APIs, cloud services, and fintech partnerships. At the same time, the Gulf region has become one of the most actively targeted regions for financially motivated cybercrime and disruptive attacks, with banks and fintechs featuring prominently in 2024–2025 reports on ransomware, DDoS campaigns and sophisticated fraud schemes. The combination of rapid innovation, partner security, high attacker interest and evolving regulatory expectations creates a risk profile that is distinct from more established markets in North America and Europe.
In response, Paramount’s work with GCC BFSI clients focuses on developing region-specific security architectures and systems rather than simply importing models from other geographies. This includes designing frameworks aligned with local regulatory obligations, regional threat intelligence and the operational realities of Middle Eastern institutions as they evolve through 2026.
Financial
WHY THE MIDDLE EAST’S DIGITAL IDENTITY INFRASTRUCTURE NEEDS A DEEPER TRUST LAYER

Stefan Deiss, CEO and Co-Founder, The Hashgraph Group
The Middle East has moved faster on digital identity than almost any other region in the world. The UAE Pass now connects residents to more than 5,000 government and private services. Saudi Arabia’s Absher platform has issued over 28 million unified digital IDs. Dubai has gone fully paperless across 45 government entities.
But these systems were built for a world where the main challenge was convenience: getting citizens online, reducing paperwork, speeding up access to services. The threats they were designed to handle were stolen passwords, forged documents and basic impersonation.
What they were not built for is an environment where artificial intelligence can generate a convincing human face in seconds, clone a voice from a few minutes of audio, and inject a synthetic video feed into a verification check in real time.
What distributed ledger technology actually adds
Most digital identity systems today are centralised. Your credentials sit in a government or enterprise database, and every time your identity needs to be checked, the system queries that database. Sometimes that means scanning your face against a stored biometric template. Sometimes it means pulling up your document records and cross-referencing them. Either way, the process depends on one central store of information being secure, accurate and available.
The model works until it doesn’t. A single database holding millions of identities is a high-value target. An attacker who gets in does not compromise one person. They compromise everyone. And the tools available to attackers are improving fast.
The GCC fraud detection market has reached $1.2 billion. Deepfake attacks on identity systems are surging globally. In May, the Saudi Data and Artificial Intelligence Authority published updated deepfake guidelines that explicitly recommend blockchain-based provenance systems to establish traceable records of original content. The guidelines identify identity impersonation through cloned voices and facial simulations as a major risk, and single out finance, politics and identity verification as sectors requiring priority monitoring.
This is the context in which distributed ledger technology becomes relevant. Decentralised identity flips the conventional model. Instead of credentials sitting in someone else’s database, you hold them yourself, in a digital wallet on your device. When you need to prove something, you present only the specific credential required. The verification is recorded on a distributed ledger, a shared record maintained across a network of independent computers rather than controlled by any single organisation. Nobody owns it, can alter it, and shut it down.
Then there are zero-knowledge proofs. This is a way of proving something is true without revealing the underlying information. You could prove you are over 18 without showing your date of birth. You could prove you hold a valid professional licence without disclosing your name or address. The verifier gets the confirmation they need. You keep everything else private.
There is no single database to breach. The individual controls what information is shared and with whom. And every verification event is recorded permanently, creating an audit trail that regulators, enterprises and individuals can each trust independently.
In Sharjah, decentralised identity infrastructure has been integrated across a smart city ecosystem, making it one of the first urban environments in the world where residents, buildings and services interact through digital credentials rather than centralised databases.
The physical presence problem
There is a further gap that even well-designed digital identity systems do not currently address: physical presence.
Identity verification today confirms who someone claims to be remotely. It checks documents, runs facial recognition, performs biometric matching. What it cannot confirm is that a real human being is actually sitting in front of the screen. A synthetic face, a cloned voice and an injected video feed can sail through remote checks that were designed for an era when faking a human was genuinely difficult. That era is over.
The technology to close this gap exists. Ultra-wideband radar, the same short-range spatial sensing found in consumer devices, can detect physical presence with sub-10-centimetre accuracy. It can pick up vital signs such as breathing and heartbeat as a liveness check. When that presence event is cryptographically bound to a decentralised identity credential and recorded on a distributed ledger, the result is a tamperproof record proving a specific individual was physically present at a given location at a given time, verifiable by any authorised party without exposing personal data.
The applications stretch across sectors. In transport, a traveller approaching a gate at an airport or train station could be verified instantly: identity confirmed, physical presence proven, the event recorded permanently. The same logic applies to stadiums, conferences, concert venues and any gated environment where ticket fraud is a problem.
Why the Middle East is the right place for this conversation
The UAE government has announced its intention to transition 50 per cent of federal sectors and services to agentic AI within two years. When AI agents begin autonomously processing licences, permits, compliance checks and cross-border transactions, the question of who authorised what, and whether a human was genuinely involved at the point of decision, becomes critical. Without a verifiable link between a physical person and a digital action, agentic AI systems become vulnerable to impersonation at a scale that manual fraud teams cannot monitor.
The region also has structural advantages that most other markets do not. Governments in the Gulf are bringing policy, investment and technology deployment together under unified national strategies. Saudi Arabia’s Vision 2030, the UAE’s digital economy strategy targeting 20 per cent of non-oil GDP by 2030, and the broader push toward smart city infrastructure all create an environment where new identity infrastructure can move from concept to deployment far faster than in markets weighed down by legacy systems and fragmented regulation.
What comes next
The digital identity systems the Middle East has built over the past decade are genuine achievements. But they were designed for a world where the person on the other end of a verification check was assumed to be real. That assumption is becoming less reliable every quarter.
The next generation of identity infrastructure needs to do three things. It needs to remove single points of compromise by decentralising how credentials are stored and verified. It needs to give individuals control over their own data through zero-knowledge proofs and selective disclosure. And it needs to prove physical presence at the moment of verification, closing the gap that synthetic media is already exploiting.
About the Author:
Stefan Deiss is Co-Founder and CEO of The Hashgraph Group (THG), a Swiss-based Web3 and AI technology engineering company specialising in enterprise solutions built on the Hedera network.
Stefan brings over two decades of experience in technology and business transformation. He spent 11 years at Orange Business Services before moving to Zurich Insurance Group, and went on to found his own consulting firm in 2013. In 2016, he co-founded The Hashgraph Group, which today operates globally with offices across Switzerland, Abu Dhabi, Hong Kong, and beyond.
Under his leadership, THG has developed a suite of enterprise products including TrackTrace for EU Digital Product Passport compliance, IDTrust for decentralised digital identity, and EcoGuard for sustainability and carbon markets. He is also co-inventor of CITI (Continuous Identity Trust Infrastructure), a patent-pending cryptographic framework that binds physical presence to digital identity.
Financial
QASHIO BRINGS CUSTOMERS EXCLUSIVE ACCESS TO THE FIFA WORLD CUP 2026™ FAN ZONE EXPERIENCE
Qashio, the MENA region’s leading spend management solution, is rewarding its UAE customers with exclusive FIFA World Cup 2026™ fan experiences, including premium viewing access, interactive competitions, and hospitality benefits at Emirates Golf Club’s Footy Central in Dubai. The initiative gives customers the opportunity to experience a dedicated football watch party destination during the world’s biggest football tournament.
Running from 11 June to 19 July 2026, Footy Central will screen live matches alongside themed F&B, interactive games, family-friendly activities, competitions, and matchday entertainment. The programme builds on the global appeal of football’s premier event, which reached more than five billion viewers across all platforms during its previous edition, and reflects Qashio’s value proposition beyond spend management by turning client loyalty into tangible rewards and premium benefits.
The campaign will unlock exclusive access to selected matchday rewards and fan activations for Qashio customers, including F&B vouchers, matchday credits, Viya Points, gaming rewards, and VIP hospitality experiences. Viya Points, the digital reward currency within the Viya App ecosystem, can be redeemed across a premium lifestyle network of 400 venues, extending the value of the campaign beyond the matchday.
Guests can participate in the Ronaldo Header Challenge, where they can test their heading accuracy, while the FIFA Console Zone will host the PS5 FIFA Esports Challenge: Road to the Cup, with guests competing in head-to-head matches for leaderboard positions and daily rewards. Half-time engagement will include lucky draws during key matches, alongside Predict & Win competitions that reward guests for accurate match predictions.
Armin Moradi, CEO and Founder of Qashio, said: “Football is the most popular sport in the UAE among both Emiratis and the broader expat population, which makes the FIFA World Cup 2026™ a powerful moment to celebrate with our customers. Qashio was built to help businesses manage spend with more control and value, and this campaign extends that promise by turning loyalty into memorable experiences for finance leaders and teams across the country.”*
The FIFA World Cup 2026™ customer rewards campaign reflects Qashio’s broader approach to building a spend management platform that combines financial control with meaningful customer engagement. Through rewards, activations, competitions, and hospitality benefits, Qashio is continuing to create value for businesses beyond transactions, while giving customers new ways to engage with one of the most anticipated sporting events in the world.
For more information on the Footy Central experience and partnership opportunities, visit the link.
Financial
How Geopolitical and Economic Disruption Are Reshaping the CRO Role in GCC Banking
As geopolitical uncertainty, tighter liquidity and digital disruption converge, the CRO role is evolving from compliance gatekeeper to strategic business leader.
For much of the past decade, GCC banks operated in an environment defined by strong liquidity, rapid credit expansion and relatively stable macroeconomic conditions. Supported by high oil revenues and ambitious national growth agendas, the region’s banking sector became synonymous with resilience, scale and sustained growth.
That resilience has been tested in recent months and, so far, the sector has responded well. Recent banking data published by the Central Bank of the UAE (CBUAE) and the Saudi Central Bank (SAMA) suggests that customer deposits have continued to grow despite heightened regional uncertainty.

Customer deposits increased by 17% year-on-year as of April 2026, and 2% from February to April 2026 in the UAE, while in Saudi Arabia, the growth in deposits was 11% year-on-year as of April 2026 and 2% from February to April 2026 , reinforcing both markets’ positions as regional safe havens for capital. Growth in monetary aggregates and non-resident deposits further suggests that regional and international investors continue to view GCC banking systems as stable, well-capitalized and resilient.
Importantly, there is little evidence so far of the capital flight or systemic liquidity pressures that some observers initially feared. Instead, the data suggests that the UAE and Saudi Arabia continue to play an important role as regional safe havens for capital, supported by strong banking fundamentals, prudent regulation and proactive central bank intervention.
Central banks have also played an important role. Proactive interventions helped preserve liquidity, support credit expansion and provide targeted relief to sectors facing short-term disruption. In the UAE, banks were able to extend working capital facilities and restructure short-term obligations for fundamentally healthy businesses, helping bridge temporary cash-flow pressures while maintaining confidence across the financial system.
As a result, resilience is no longer simply a measure of capital strength. It has become a strategic capability that underpins the sector’s ability to navigate an increasingly complex operating environment.

However, what is clearer than ever before is that the operating environment around banks is changing rapidly—and as a result, so is the role of the CRO.
The recent regional conflict accelerated that realization. Traditional stress-testing models were largely designed around financial shocks such as market volatility, liquidity tightening, and credit deterioration. What many institutions are now confronting is a far broader challenge, where geopolitical tensions, cyber threats, operational resilience, and credit risk can all influence one another simultaneously.
Across the GCC, this has prompted some banks to reassess whether existing business continuity and resilience frameworks are sufficiently equipped for a far more interconnected risk landscape.
This is particularly relevant in a region where regulatory frameworks have prioritized sovereignty, local data residency, and operational control. Recent events have also created an opportunity for institutions to reassess how these strengths can be balanced with greater operational flexibility and diversification, e.g., for digital data storage.
At the same time, a second structural shift is unfolding more quietly beneath the surface.
According to analysis from FTI Consulting, GCC banks originated close to $1 trillion in new lending between 2020 and 2025 across Saudi Arabia, the UAE and Qatar. Much of this growth took place during a prolonged low-interest rate environment and elevated liquidity conditions, meaning many portfolios, particularly across real estate and mortgage lending, have not yet been tested through a full economic stress cycle.
That could create a more complex operating backdrop for the years ahead.
For banks, the longer-term risk is not simply operational disruption. While business continuity and cybersecurity remain critical priorities, credit risk remains equally important. If short-term disruption were to evolve into a prolonged economic slowdown, pressure could emerge across borrower segments and asset classes, particularly in sectors that have benefited from strong credit expansion in recent years. In certain scenarios, a meaningful correction in real estate markets would have implications not only for borrowers but also for portfolio performance and risk provisioning across the banking sector.
This is precisely the type of forward-looking scenario that CROs must now anticipate, rather than simply respond to.
Modern CROs are increasingly expected to balance resilience, growth, operational continuity and profitability simultaneously, while helping institutions navigate a far more dynamic and interconnected operating environment. More importantly, the CRO can no longer afford to be purely backward-looking.
The institutions likely to outperform over the next decade will be those capable of identifying disruption early, adapting faster and embedding risk intelligence directly into strategic decision-making.
That requires a fundamentally different approach to risk management. One built around predictive intelligence, integrated scenario planning, dynamic stress testing and real-time decision-making.
Artificial intelligence and advanced analytics are becoming increasingly important in that transition.
Some leading regional banks are already investing in AI-enabled underwriting, early-warning systems and advanced collections capabilities that allow them to identify stress signals earlier and make more sophisticated portfolio decisions in real time. Others, however, continue to rely on fragmented legacy systems, manual workflows and reactive operating models.
That gap may become increasingly important during periods of disruption. Institutions that can identify emerging stress earlier, underwrite more effectively and anticipate portfolio deterioration before competitors will inevitably benefit from lower risk costs and stronger resilience outcomes.
Because in this new environment, resilience itself is becoming a competitive advantage.
The banks most likely to succeed will not necessarily be the largest or most conservative institutions. They will be the organizations capable of integrating risk more directly into strategic decision-making, modernizing operational infrastructure and responding dynamically to an increasingly volatile external environment.
The broader lesson for the sector is clear.
The GCC banking industry is entering a new era where resilience can no longer be measured purely through capital strength or regulatory compliance. Increasingly, resilience will be defined by adaptability and the ability to proactively anticipate interconnected geopolitical, operational, technological and economic disruption in real time.
And that shift is fundamentally redefining the CRO mandate across the region.
The institutions that recognize this early and empower their risk functions accordingly will likely be best positioned for the next phase of growth across GCC banking.
-
News11 years ago
SENDQUICK (TALARIAX) INTRODUCES SQOOPE – THE BREAKTHROUGH IN MOBILE MESSAGING
-
Trending8 months agoOPPO A6 Pro 5G Review: Reliable Daily Driver
-
Tech News2 years agoDenodo Bolsters Executive Team by Hiring Christophe Culine as its Chief Revenue Officer
-
VAR1 year agoMicrosoft Launches New Surface Copilot+ PCs for Business
-
Automotive2 years agoAGMC Launches the RIDDARA RD6 High Performance Fully Electric 4×4 Pickup
-
Tech Interviews2 years ago
Navigating the Cybersecurity Landscape in Hybrid Work Environments
-
Tech News12 months agoNothing Launches flagship Nothing Phone (3) and Headphone (1) in theme with the Iconic Museum of the Future in Dubai
-
VAR2 years agoSamsung Galaxy Z Fold6 vs Google Pixel 9 Pro Fold: Clash Of The Folding Phenoms


